Keypoints
- Attackers targeted security and developer infrastructure (vulnerability scanners, CI/CD utilities, compression libraries) because these components run with elevated trust and multiply blast radius when compromised.
- XZ Utils (Mar 2024) used a long-term contributor persona to inject a build-time backdoor into liblzma that weakened SSH public-key authentication.
- reviewdog → tj-actions (Mar 2025) abused GitHub org automation and transitive Action dependencies to run a Python memory-scraper on 23,000+ repositories’ CI runners.
- Trivy/Aqua (Mar 2026) combined pull_request_target abuse, retained bot tokens, tag re-pointing, a binary backdoor, and ICP blockchain C2 for takedown-resistant exfiltration.
- litellm (PyPI, Mar 2026) uploaded malicious packages using compromised maintainer credentials and used a .pth auto-execution escalation to infect any local Python process.
- Detection gaps include CI-specific primitives (pull_request_target), transitive dependency trust as lateral movement, blockchain-hosted C2, and common operational failures like missed bot-token rotation; concrete detection signals and mitigations are recommended.
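As a detection-side illustration of the CI primitives named above (pull_request_target and re-pointable tags), the following added example, which is not from the original article, audits one workflow file as text. The rule names, the sample workflow, `example-org/example-action` and its SHA are constructed for illustration.

```python
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
PRT = re.compile(r"\bpull_request_target\b")
PR_HEAD = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
name: pr-scan
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: ./.github/actions/local
      - run: make test
"""

def _code(line):
    """Drop YAML comments (good enough for workflow files)."""
    return "" if line.lstrip().startswith("#") else line.split(" #", 1)[0]

def audit_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    lines = [_code(l) for l in text.splitlines()]
    privileged = any(PRT.search(l) for l in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        if PRT.search(line):
            findings.append((n, "pull_request_target", "runs with base-repo secrets"))
        m = USES.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            # A tag or branch can be re-pointed; only a full commit SHA is immutable.
            if not FULL_SHA.match(m.group(1).rpartition("@")[2]):
                findings.append((n, "unpinned-action", m.group(1)))
        if privileged and PR_HEAD.search(line):
            findings.append((n, "pr-head-ref", "untrusted PR code in privileged workflow"))
    return findings

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

Pinning to a SHA covers only the direct reference; an action that itself calls another action by tag still carries the transitive exposure described for reviewdog → tj-actions.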
MITRE Techniques
- [T1195.001 ] Compromise Software Dependencies & Dev Tools – Malicious payload injected into liblzma build stage via binary test files (‘Malicious payload injected into liblzma build stage via binary test files’)
- [T1554 ] Compromise Client Software Binary – Backdoored binary distributed via legitimate upstream release channels (‘Backdoored binary distributed via legitimate upstream release channels’)
- [T1027 ] Obfuscated Files or Information – Payload stored in binary test fixtures and de-obfuscated at build time via tr (‘Payload stored in binary test fixtures, de-obfuscated at build time via tr’)
- [T1036 ] Masquerading – Commits and accounts authored under fake but credible contributor identities (‘Commits authored under a fake but credible contributor identity’)
- [T1556 ] Modify Authentication Process – Hooked RSA_public_decrypt to weaken SSH public-key authentication (‘RSA_public_decrypt hook weakened SSH authentication at liblzma’)
- [T1585.001 ] Establish Accounts: Social Media – Fake contributor personas used to pressure maintainers and gain commit access (‘Fake contributor personas used to pressure maintainer’)
- [T1059.006 ] Command & Scripting: Python – Malicious Python script executed on CI runners to scrape process memory (‘Malicious Python script executed on CI runners to scrape process memory’)
- [T1552.001 ] Unsecured Credentials: Credentials in Files – /proc/{PID}/mem scraped to locate in-memory GitHub Actions secret JSON structures (‘/proc/{PID}/mem scraped for in-memory GitHub Actions secret JSON structures’)
- [T1528 ] Steal Application Access Token – GitHub Actions runner tokens and repository secrets extracted from process memory (‘GitHub Actions runner tokens and repository secrets extracted from process memory’)
- [T1199 ] Trusted Relationship – Transitive dependency chain propagated the poisoned action from reviewdog → tj-actions → 23,000+ repos (‘Transitive dependency chain used to propagate payload from reviewdog → tj-actions → 23,000 repos’)
- [T1048 ] Exfiltration Over Alternative Protocol – Secrets printed to CI workflow logs as an exfiltration channel (‘Secrets printed to public CI workflow logs as exfiltration channel’)
- [T1195.002 ] Compromise Software Supply Chain – pull_request_target misconfiguration exploited to steal PATs and force-push tags to malicious commits (‘pull_request_target misconfig exploited to steal PAT; release tags force-pushed to malicious commit’)
- [T1098 ] Account Manipulation – aqua-bot service account token retained after incomplete credential rotation (‘aqua-bot service account token retained after incomplete credential rotation’)
- [T1036.005 ] Masquerading: Match Legitimate Name – Dropped sysmon.py to mimic legitimate monitoring artifacts (‘sysmon.py dropped to mimic legitimate sysmon monitoring artifact’)
- [T1027.002 ] Obfuscated Files or Information: Software Packing – AES-256-CBC + RSA-4096 used to render harvested bundles unrecoverable without attacker private key (‘AES-256-CBC + RSA-4096 encrypted payload rendered irrecoverable without attacker private key’)
- [T1552 ] Unsecured Credentials – Broad filesystem sweep targeting SSH keys, cloud credentials, Kubernetes tokens, Terraform state, and wallet files (‘Broad filesystem sweep targeting SSH keys, cloud credentials, K8s tokens, TFstate, wallet files’)
- [T1102 ] Web Service – ICP blockchain node used as primary C2, leveraging non-takedownable infrastructure (‘ICP blockchain node used as primary C2 — first confirmed blockchain-hosted C2 in a supply chain attack’)
- [T1567.001 ] Exfiltration to Code Repository – Encrypted credential bundle uploaded as a release asset to attacker-created tpcp-docs GitHub repo (‘Encrypted credential bundle uploaded as release asset to attacker-created tpcp-docs GitHub repo’)
- [T1041 ] Exfiltration Over C2 Channel – Primary exfiltration via HTTPS POST to typosquatted domains (e.g., scan.aquasecurtiy[.]org) (‘Primary exfil via HTTPS POST to typosquatted domain scan.aquasecurtiy[.]org’)
- [T1546.004 ] Event Triggered Execution: Unix Shell Config – Python .pth file auto-executes on interpreter startup to run malicious payload without import (‘.pth file auto-executes on every Python interpreter startup without user action’)
- [T1543.001 ] Create or Modify System Process: Systemd Service – sysmon.service installed as a persistent systemd user service for persistence (‘sysmon.service installed as persistent systemd user service’)
- [T1611 ] Escape to Host – Privileged Kubernetes pod created in kube-system mounting host filesystem to move from cluster to host (‘created privileged alpine:latest pod in kube-system mounting host filesystem’)
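For the .pth auto-execution listed above: Python's `site` module passes any `.pth` line beginning with `import` to `exec()` at interpreter startup, so those lines are the ones to inventory. The following added example (not from the original article) lists them per site directory; the `RISKY` token list and the sample file names and contents are constructed assumptions for triage.

```python
import os
import re
import site
import tempfile

# Triage heuristic (an assumption of this example, not from the page).
RISKY = re.compile(r"\b(exec|eval|compile|base64|subprocess|socket|urllib|os\.system)\b")

def executable_lines(pth_path):
    """Yield (lineno, text) for lines that site.py hands to exec() at startup."""
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if line.startswith(("import ", "import\t")):
                yield n, line.rstrip()

def audit_dirs(dirs):
    """Return (file_name, line_number, risky) for every executable .pth line."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                for n, text in executable_lines(os.path.join(d, name)):
                    findings.append((name, n, bool(RISKY.search(text))))
    return findings

def demo():
    """Build a constructed site-packages directory and audit it."""
    samples = {
        "paths.pth": "# plain path entries are not executed\n/opt/example/lib\n",
        "example_editable.pth": "import example_finder; example_finder.install()\n",
        "example_init.pth": "# constructed stand-in for a loader line\nimport subprocess\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_dirs([d])

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for finding in audit_dirs(dirs) + demo():
        print(finding)
```

Legitimate tooling also ships executable `.pth` lines, so the useful signal is a new or changed entry against a known baseline rather than the mere presence of one.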
Indicators of Compromise
- [File name ] build-time test fixtures and entrypoints – tests/files/bad-3-corrupt_lzma2.xz, entrypoint.sh (Trivy v0.69.4 injected) and other artifacts like sysmon.py and litellm_init.pth
- [Domain ] C2 and exfil endpoints – tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io (ICP blockchain C2), models.litellm.cloud (typosquatted exfil endpoint), and other domains such as scan.aquasecurtiy[.]org
- [Commit SHA / Tag ] malicious Git metadata and tags – e0198fd2b6e1679e36d32933941182d9afa82f6f (unreachable malicious Trivy commit), v0.69.4 (malicious Trivy release) and repointed tags
- [File hash ] example injected artifact hashes – entrypoint.sh SHA256 18a24f83e807479438dcab7a… (malicious), parent commit file 07500e81693c06ef7ac6bf210… (legitimate) and other hashes
- [Package / Repository ] compromised packages and actions – tj-actions/changed-files, reviewdog/action-setup, litellm v1.82.8 (malicious PyPI publish), and trivy-action/setup-trivy
- [GitHub repo ] attacker-controlled fallback exfil repo – tpcp-docs (public repo used to host encrypted credential bundles) and other attacker repositories used for exfiltration